Cisco Talos has recently observed multiple campaigns using the Remcos remote access
tool (RAT), which is offered for sale by a company called Breaking Security. While
the company says it will only sell the software for legitimate uses, as described in
comments in response to the article here, and will revoke the licenses of users who
do not follow its EULA, the sale of the RAT gives attackers everything they need to
establish and run a potentially illegal botnet.

Remcos’ prices per license range from €58 to €389. Breaking Security also offers
customers the ability to pay for the RAT using a variety of digital currencies. This
RAT can be used to fully control and monitor any Windows operating system from
Windows XP onward, including server editions.

In addition to Remcos, Breaking Security is also offering Octopus Protector, a
cryptor designed to allow malicious software to bypass detection by anti-malware
products by encrypting the software on the disk. A YouTube video available on the
Breaking Security channel demonstrates the tool’s ability to facilitate the bypass
of several antivirus protections. Additional products offered by this company
include a keylogger, which can be used to record and send the keystrokes made on an
infected system; a mass mailer that can be used to send large volumes of spam
emails; and a DynDNS service that can be leveraged for post-compromise command and
control (C2) communications. These tools, when combined with Remcos, provide all
the tooling and infrastructure needed to build and maintain a botnet.

Within Cisco’s Advanced Malware Protection (AMP) telemetry, we have observed several
instances of attempts to install this RAT on various endpoints. As described below,
we have also seen multiple malware campaigns distributing Remcos, with many of these
campaigns using different methods to avoid detection. To help people who have become
victims of harmful use of Remcos, Talos is providing a decoder script that can
extract the C2 server addresses and other information from the Remcos binary.